February 14, 2002
Audit Report No. 02-003

Controls Over Outlook Resources

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Audits
Office of Inspector General

DATE: February 14, 2002

TO: Carol M. Heindel
Acting Director, Division of Information Resources Management

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits

SUBJECT: Controls Over Outlook Resources (Audit Report No. 02-003)

The Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) has completed an audit of the controls associated with shared access to Microsoft Outlook (Outlook) folders. We conducted this audit to assess the effectiveness of controls used to protect access to resources and sensitive data that reside in Outlook folders. These folders include: Calendar, Contacts, Deleted Items, Drafts, Inbox, Journal, Notes, Outbox, Sent Items, and Tasks. We initiated the audit because an FDIC employee inadvertently gained unrestricted access to another employee’s Outlook inbox when attempting to view the latter employee’s appointment calendar.

BACKGROUND

The FDIC uses Outlook to provide electronic mail (e-mail) and calendar services to its employees. In addition to e-mail and group scheduling, Outlook provides for the creation and storage of information in folders. One Outlook feature is the capability to share access to all folders, including the Inbox. Individuals can set the properties for their Outlook account at their desktop to assign various permissions to others, including the ability to send messages and to read, modify, create, or delete information in any of the Outlook folders. These permissions can be useful when responding to important issues in situations where the assigned Outlook user is unavailable. Some agencies expressly forbid individuals from sharing access to personal e-mail accounts, but the FDIC does not want to limit this capability. The Corporation’s position increases the need for controls over the assignment of Outlook permissions to provide adequate security over sensitive information that may reside in e-mail messages or Outlook folders.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to assess the effectiveness of controls used to protect sensitive data that reside in Outlook folders. We performed our audit between May and July of 2001 in accordance with generally accepted government auditing standards.

To accomplish our objective, we assessed Outlook sharing capabilities by reviewing documents and information obtained by the Corporation from Microsoft. We reviewed backup files and audit logs and interviewed Division of Information Resources Management (DIRM) personnel involved with maintaining Outlook, including individuals in the Local Area Network Management, Helpdesk, and Desktop Management sections. We also evaluated the relative impact of the Corporation’s anticipated upgrade to Windows 2000 and Office XP to determine whether the Outlook upgrade will improve security controls. We reviewed the Outlook settings of selected FDIC executives to determine the vulnerability of their personal Outlook accounts.

Additionally, the Corporation requested that we obtain “best practices” of other federal agencies regarding sharing access to e-mail accounts. We obtained e-mail security procedures from the United States Departments of Defense and Agriculture and the Board of Governors of the Federal Reserve System.

RESULTS OF AUDIT

The FDIC’s policies and procedures did not adequately protect data residing in Outlook folders. DIRM had not issued guidance to properly control the use of Outlook settings that can permit other system users to have access to information created by or intended for the original user. In addition, DIRM could not effectively monitor the individual settings of all employees because Outlook permissions are set at the user’s desktop. Therefore, sensitive data residing in e-mail messages and Outlook folders may not have been adequately secured against unauthorized disclosure, deletion, or modification. This security risk was increased because a feature of the current version of Outlook can contribute to users inadvertently assigning access to their personal folders to all Outlook users.

POLICIES AND PROCEDURES FOR ACCESS TO OUTLOOK RESOURCES

The FDIC had not established policies and procedures that adequately addressed security over sensitive data that may reside in Outlook folders. Additionally, the FDIC had not alerted users to the risks associated with sharing access to their Outlook folders, nor instituted a process to identify users who had assigned Outlook permissions to others so that the Corporation could monitor and control the permissions assigned. Without adequate security controls, sensitive data residing in Outlook folders and e-mail messages were susceptible to unauthorized disclosure, deletion, or modification.

Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, establishes security requirements for federal automated information resources. The circular requires federal agencies to implement and maintain a program to ensure that adequate security is provided for all information collected, processed, transmitted, stored, or disseminated. Such a security environment includes having qualified, trained security staff responsible for determining the sensitivity of the data and controlling access to the data.

Sensitive information requires protection because of the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. Sensitive information includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act [1], and information not releasable under the Freedom of Information Act [2].

Sensitive information is often included in e-mail messages and stored in Outlook folders. For example, the Division of Supervision’s bank-related information is considered highly sensitive, and information security officers control data access. In addition, other divisions and offices transmit personal and financial data via e-mail. Sensitive data should be protected against unauthorized disclosure. Accordingly, the FDIC is implementing security enhancements such as the ability to encrypt e-mail messages.

However, the FDIC had not developed policies and procedures regarding Outlook security. Specifically, FDIC Circular 1360.1, Automated Information Systems Security Policy, requires that information be protected at a level commensurate with the sensitivity of information processed, stored, or transmitted and provides that access to sensitive information will be based on business needs. Sensitive data residing in the Outlook folders should be protected by the same level of security controls as other sensitive data, but the circular does not address shared access to e-mail accounts. Further, FDIC Circular 1370.3, Use of Electronic Communications, provides guidance to employees concerning their responsibilities with respect to the use of e-mail, but does not address sharing access to accounts or sensitive data.

In addition, if individual users share access to their Outlook account, the assigning user determines who may read the sensitive data. If the assigning FDIC user has not received appropriate training regarding their security responsibilities, there is increased risk of unauthorized disclosure and misuse of sensitive information.

Other Federal agencies such as the Department of Defense and the Board of Governors of the Federal Reserve System expressly forbid individuals from granting access to their personal e-mail accounts. However, the FDIC does not want to limit this capability. Accordingly, the Corporation needs to develop additional policies and procedures to protect sensitive data residing in Outlook folders and provide its employees with guidance regarding the appropriate circumstances under which to share that access.

[1] The Privacy Act of 1974 regulates the collection, maintenance, use, and dissemination of personal information by federal government agencies.
[2] The Freedom of Information Act generally provides that any person has a right to obtain access to federal agency records, except to the extent that such records are protected from disclosure by exception or law.

OUTLOOK FEATURES FOR ASSIGNING ACCESS

The risk of unauthorized access and misuse of data residing in Outlook folders was increased because a feature of the current version of Outlook can contribute to a user inadvertently assigning access to their personal Inbox to all Outlook users. This risk became evident when an OIG employee inadvertently gained access to another user’s Outlook Inbox while attempting to view the user’s appointment calendar.

Outlook properties are set at the user’s desktop. When a user assigns permissions to share his or her Outlook folders, the cursor will not automatically move to the intended assignee and may cause the user to select the default setting of all FDIC users. Additionally, because Outlook properties are set at the user’s desktop, DIRM could not effectively monitor the individual settings of all employees.

We reviewed the Outlook settings of selected FDIC executives to ensure they had not been inadvertently set to the default setting and found no such instances. In addition, by June 2002, DIRM plans to upgrade to Windows 2000 and the Office XP application suite. Our review of Office XP showed that the Outlook default settings in this version are not automatically highlighted when a user attempts to assign permissions to share Outlook access with other users.

However, until the upgrades are completed, the risk of unauthorized access will remain. Therefore, DIRM has agreed to develop procedures for security personnel to monitor shared access to Outlook folders. DIRM security personnel or division and office Information Security Managers (ISM) established under the Corporation’s new ISM program will be notified of individuals who have provided shared access to their Outlook folders and will periodically sample users to determine if access permission has been set as intended. In addition, a discussion of shared access to Outlook folders and approaches for controlling access to sensitive data will be included in the FDIC’s security awareness efforts.

RECOMMENDATIONS

The Acting Director, Division of Information Resources Management should:

(1) Establish procedures for employees to notify DIRM security personnel or ISMs when sharing access to Outlook folders so that the permissions assigned are consistent with what the user intended.

(2) Establish procedures to monitor the settings of individuals who have been authorized to share access to Outlook folders to ensure that the permissions have been properly granted.

(3) Include in the FDIC’s security awareness efforts a discussion of shared access to Outlook folders and approaches for controlling access.

CORPORATION COMMENTS AND OIG EVALUATION

On January 28, 2002, the Acting Director of DIRM provided a written response to the draft report. Management’s response, without the attachment suggesting editing changes, is presented in Appendix I to this report. The Corporation concurred with recommendations 1 through 3. These recommendations will remain undispositioned and open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are effective. At DIRM’s request we made several wording changes to clarify terminology in the report.

APPENDIX I
CORPORATION COMMENTS

Federal Deposit Insurance Corporation
3501 North Fairfax Dr., Arlington, VA 22226
Office of the Director

January 28, 2002

TO: Russell A. Rau
Assistant Inspector General for Audits

FROM: Carol M. Heindel [Electronically produced version; original signed by Carol Heindel]
Acting Director, Division of Information Resources Management

SUBJECT: Response to the Audit, Controls Over Outlook Resources (2001-918)

The Division of Information Resources Management (DIRM) has reviewed the subject draft audit report, as revised and reissued electronically to DIRM by your staff January 14, 2001, and generally agrees with the findings. Responses to the recommendations are provided below.

DIRM is also providing an edited copy of the draft report as an attachment to this response. The attachment provides requested language changes that our technical staff believe are important for clarity.

Management Decision:

Recommendations: The Acting Director, Division of Information Resources Management should:

(1) Establish procedures for employees to notify DIRM security personnel or ISMs when sharing access to Outlook accounts so that the permissions assigned are consistent with what the user intended.

and

(2) Establish procedures to monitor the settings of individuals who have been authorized to share access to Outlook accounts to ensure that the permissions have been properly granted.

DIRM Response: As indicated in the OIG’s report, the primary risk associated with the current Outlook product will be resolved by the FDIC’s conversion to Windows XP. In the interim, DIRM management has agreed to send out a global email to all employees by February 15, 2002 explaining the importance of controls associated with shared access to the Microsoft Outlook folders. The global will provide the user with instructions on how to review their individual properties within their Outlook account and determine that the settings are appropriate. Questions or support issues will be directed to their individual Information Security Managers (ISM) or the DIRM Helpdesk.

(3) Include in the FDIC’s security awareness efforts a discussion of shared access to Outlook accounts and approaches for controlling access.

DIRM Response: DIRM ISS will update the Information Security Website to include a statement on effective controls used to protect access to resources and sensitive data that reside in the Outlook folders. The website is updated quarterly. The next update will be completed by April 15, 2002.

Please address any questions to DIRM's Audit Liaison, Rack Campbell, on (703) 516-1422.

Attachment

cc: Vijay Deshpande, Director, OICM
    Janet Roberson, Deputy Director, ITM
    Michael Wong, Deputy Director, TIM
    Sandy Velasquez, Assistant Director, Operations
    Ned Goldberg, Assistant Director, Information Security